On our mail server we are taking lots of hits. In the maillog there's a hell of a lot of rejected mail like this:
Code:
Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
I have a script which searches for the IPs and blocks them. I'm having a problem if I block the RCPT IPs. Instead I want to block the sender domain, like in this example, shareme.com. What shall I modify in my script to do this? Thanks
Code:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=10
cd /admin || exit 1
# first get one minute of log
# %e pads the day with a space ("Apr  3"), which is how syslog writes it;
# %d would give "Apr 03" and never match during the first nine days of a month
grep -F "$(date +"%b %e %H:%M:" --date="1 minutes ago")" /var/log/maillog > minutelog
# now extract the rejected attempts, sort and count uniq ip
# (take the IP from "RCPT from name[1.2.3.4]:" by pattern rather than by field
# number, since the space-padded day would shift the cut fields)
grep "reject:" minutelog \
  | sed -n 's/.*reject: RCPT from [^[]*\[\([^]]*\)\].*/\1/p' \
  | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result: "<count> <ip>"
while read -r MYCOUNT MYIP
do
    if [ "$MYCOUNT" -lt "$LIMIT" ]
    then
        echo "$MYIP is ok: $MYCOUNT attempts"
    else
        echo "blocking the spammer at $MYIP with $MYCOUNT attempts"
        "$IPT" -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
        echo "$MYIP" >> blocked.smtp
    fi
done < tmp1
rm -f minutelog
rm -f tmp1
I'm not quite sure if using a domain name will help you completely solve the problem since iptables will resolve the domain name and block the IP. Maybe it's better to include nslookup or dig to get the IP for that domain and block it with
Thanks for your feedback. I need help on extracting the domain name from the maillog. With the current script I can extract the RCPT IP, not the domain name. Thanks again.
Quick and dirty. You're already extracting the necessary lines from your log, right? Pipe the line into this, saving it in a variable and then block using iptables:
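As an added example (not code from any poster in this thread), here is the sender-domain extraction the question asks for, run over constructed log lines in the same Postfix format: it counts rejects per envelope sender domain instead of per client IP, skips the empty bounce sender `from=<>`, and emits the domains over a threshold as `domain REJECT` lines. The LIMIT value, the example.* domains and documentation IPs are assumptions; that `domain REJECT` is the input format for a Postfix sender access map is also an assumption of this example, not something the thread states.

```shell
#!/bin/bash
# Added example: count Postfix "reject:" lines per envelope sender domain, the
# way the thread's script counts per client IP. LIMIT is an assumed threshold;
# the sample lines are constructed (documentation IPs, example.* domains).

LIMIT=${LIMIT:-3}

# Constructed one-minute slice of maillog (not from a real server).
SAMPLE_LOG='Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:14 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 <alice@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<news@SHAREME.com> to=<alice@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:15 mail1 postfix/smtpd[31701]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 <carol@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<x@shareme.com> to=<carol@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:16 mail1 postfix/smtpd[31702]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 554 <dave@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dave@domainname.net> proto=ESMTP helo=<mx.example.net>
Apr 23 04:35:17 mail1 postfix/smtpd[31703]: NOQUEUE: reject: RCPT from unknown[198.51.100.6]: 554 <erin@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<info@example.org> to=<erin@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:18 mail1 postfix/smtpd[31703]: connect from unknown[198.51.100.6]'

# Read log lines on stdin; print "count domain" per envelope sender domain,
# lowest count first. The domain is the part of from=<...> after the "@",
# lower-cased so SHAREME.com and shareme.com count as one. A bounce with the
# empty sender from=<> has no "@" and is skipped instead of yielding "".
sender_domain_counts() {
    grep 'reject:' \
      | sed -n 's/.* from=<[^@>]*@\([^>]*\)>.*/\1/p' \
      | tr 'A-Z' 'a-z' \
      | sort | uniq -c | sort -n | sed 's/^[[:space:]]*//'
}

# Read log lines on stdin; print only the domains with at least LIMIT rejects.
domains_over_limit() {
    sender_domain_counts | awk -v limit="$LIMIT" '$1 >= limit { print $2 }'
}

# Read log lines on stdin; print the domains over the limit as "domain<TAB>REJECT"
# lines. Assumption of this example: that is the text format a Postfix sender
# access map is built from (the thread itself never shows such a map).
domains_as_access_map() {
    domains_over_limit | awk '{ print $1 "\tREJECT" }'
}

printf '%s\n' "$SAMPLE_LOG" | sender_domain_counts
printf '%s\n' "$SAMPLE_LOG" | domains_as_access_map
```

Blocking by domain this way happens in Postfix at SMTP time, which is what the earlier reply means when it says iptables can only ever block the resolved IP, not the domain.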
How about something like fail2ban, which will watch the logs and, if a particular sender triggers too many errors, block them, at least temporarily. Of course you define what "too many errors" and "temporarily" are. This is usually enough to get these kinds of script-bots to go away. You can then create a blacklist in iptables and permanently ban ones that are repeat offenders. Another suggestion might be to use rate limiting in iptables based upon new connections to port 25. I also believe that Postfix has rate limiting features that can be enabled, but it looks like you want something that works at a lower level.